On Friday, cybersecurity journalists Brian Krebs and Andy Greenberg reported that as many as 30,000 organizations had been compromised in an unprecedented email server hack, believed to have originated from a state-sponsored Chinese hacking group known as Hafnium.
Over the weekend, that estimate has doubled to 60,000 Microsoft Exchange Server customers hacked around the world, with the European Banking Authority now admitting that it’s one of the victims — and it looks like Microsoft may have taken a little too long to realize the severity and patch it. Krebs has now put together a basic timeline of the massive Exchange Server hack, and he says Microsoft has confirmed it was made aware of the vulnerabilities in early January.
That’s nearly two months before Microsoft issued its first set of patches, alongside a blog post that didn’t explain the scope or scale of the attack. Originally, it was even planning to wait for one of its standard Patch Tuesdays but relented and pushed it out a week early.
Now, MIT Technology Review reports Hafnium may not be the only threat, citing a cybersecurity analyst who claims there appear to be at least five hacking groups actively exploiting the Exchange Server flaws as of Saturday. Government officials are reportedly scrambling to do something, with one state official telling Cyberscoop that it’s “a big F’ing deal.”
More diplomatically, White House press secretary Jen Psaki called it “an active threat,” drawing more attention to the emergency directive that the Department of Homeland Security’s cybersecurity agency sent out March 3rd. White House national security adviser Jake Sullivan has warned about it as well, as has former Cybersecurity and Infrastructure Security Agency director Christopher Krebs and the White House National Security Council.
This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8 character aspx files in C:\inetpubwwwrootaspnet_clientsystem_web. If you get a hit on that search, you’re now in incident response mode. https://t.co/865Q8cc1Rm
— Chris Krebs (@C_C_Krebs) March 5, 2021
Patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted. https://t.co/HYKF2lA7sn
— National Security Council (@WHNSC) March 6, 2021
At this point, the message should be clear that anyone who installed a local Microsoft Exchange Server (2010, 2013, 2016, or 2019) needs to patch and scan, but we’re only beginning to understand the scope of the damage. Hackers reportedly installed malware that can let them right back into those servers again, and we don’t yet know what they might have already taken.
“We are undertaking a whole of government response to assess and address the impact,” reads part of an email from a White House official, according to Bloomberg.
Microsoft declined to comment about the timing of its patches and disclosures, pointing us to a previous statement instead: “We are working closely with the CISA, other government agencies, and security companies, to ensure we are providing the best possible guidance and mitigation for our customers. The best protection is to apply updates as soon as possible across all impacted systems. We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”
Update, 4:27PM ET: Added Microsoft’s decline to comment, and earlier statement.